The port error is a red herring: it occurs because the policy failed to load.

Problem is that we need to access shadow_t to verify passwords.

SELinux insides – Part2: Neverallow assertions: We need to be sure that we do not allow any unwanted/unsecure/dangerous actions. For example, we do not want to allow ordinary services to access /etc/shadow.
We are not an ordinary service since we do authentication against the system passwords.

According to Why does it access /etc/shadow?: these two macros should be enough to make us use chkpwd via a subprocess (the process transition takes care of the selinux permissions) rather than the in-process access:

auth_use_pam(xpra_t)
selinux_getattr_fs(xpra_t)

Unfortunately, that doesn't work at all here and PAM fails with a rather cryptic message:

After testing in a Fedora 27 VM, looks like we also need r17390 + r17391 + r17402.
Whatever this new "map" thing is meant to do, it causes all sorts of problems.
(ldconfig also triggers audit warnings with "map" on /usr/bin/ldconfig - maybe there is a more generic way of execing subprocesses without needing this new permission?)
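Added example (not from the ticket or the xpra project): a small audit2allow-style triage over constructed AVC lines that mirror the denials discussed above, the new "map" permission on /usr/bin/ldconfig and the read on shadow_t. It merges denials into candidate allow rules and separates out any rule that would touch a protected type, since the right fix for the shadow_t denial is the auth_use_pam/chkpwd transition, not an allow rule. The type names and the PROTECTED_TYPES set are assumptions chosen to match the ticket.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the ticket); the xpra_t
# domain, the "map" permission on ldconfig and the shadow_t read mirror the
# denials the ticket describes.
SAMPLE_AVC = """\
type=AVC msg=audit(1512345678.901:123): avc:  denied  { map } for  pid=4321 comm="ldconfig" path="/usr/bin/ldconfig" dev="dm-0" ino=1234 scontext=system_u:system_r:xpra_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1512345678.902:124): avc:  denied  { read execute } for  pid=4321 comm="xpra" path="/usr/bin/ldconfig" dev="dm-0" ino=1234 scontext=system_u:system_r:xpra_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1512345678.950:125): avc:  denied  { read } for  pid=4322 comm="xpra" name="shadow" dev="dm-0" ino=99 scontext=system_u:system_r:xpra_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

# user:role:type:level contexts; only the type component is needed for a rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+tclass=(?P<tclass>\w+)"
)

# Types guarded by neverallow assertions in the distribution policy; an allow
# rule against them is the wrong fix (assumption: shadow_t, the ticket's example).
PROTECTED_TYPES = {"shadow_t"}

def parse_avc(text):
    """Yield (source type, target type, class, permission) per denied permission."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m.group("perms").split():
            yield m.group("stype"), m.group("ttype"), m.group("tclass"), perm

def suggest_rules(text):
    """Merge denials into candidate allow rules, one per (source, target, class)."""
    perms = defaultdict(set)
    for stype, ttype, tclass, perm in parse_avc(text):
        perms[(stype, ttype, tclass)].add(perm)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]

def review_rules(text):
    """Split candidates into rules worth considering and rules that must be rejected."""
    ok, rejected = [], []
    for rule in suggest_rules(text):
        target_type = rule.split()[2].split(":")[0]
        (rejected if target_type in PROTECTED_TYPES else ok).append(rule)
    return ok, rejected

if __name__ == "__main__":
    ok, rejected = review_rules(SAMPLE_AVC)
    print("candidate rules:", *ok, sep="\n  ")
    print("rejected (use auth_use_pam / chkpwd transition instead):", *rejected, sep="\n  ")
```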